ngpc

USB Access Problem

82 posts in this topic

Jaclaz,

I just tried up to this step and stopped because I got a number returned that is different from yours. Can you advise?

1*FAT16 >32M 0 1 1 987 18 25 2021945 <--you should see this, if not something was made wrong before (Your code)

1*FAT16 >32M 0 1 1 1019 8 25 2021945

Is the no. important?

ngpc

Yep.

You did not properly make the [Geometry] change.

Re-check settings in the [Geometry] section:

Cylinders=1

Heads=64

Sectors=32

Sector Size=512

and you will get the 987/18/25. ;)

jaclaz
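
Why the two lines differ, as an added example that is not part of the original posts: both describe the same 2021945-sector partition starting at CHS 0/1/1, and only the Heads/Sectors geometry used to translate the last sector changes the end C/H/S. The function names are illustrative, and the 62-head figure for the 1019/8/25 line is derived by the code, not stated in the thread.

```python
# Added example: relate the "start CHS / end CHS / size" columns of the
# TestDisk line to the Heads/Sectors values set in [Geometry].

def chs_to_lba(c, h, s, heads, sectors):
    """CHS (sector numbers are 1-based) -> 0-based LBA for a given geometry."""
    if not (0 <= h < heads and 1 <= s <= sectors):
        raise ValueError(f"CHS {c}/{h}/{s} impossible with {heads} heads, {sectors} sectors")
    return (c * heads + h) * sectors + (s - 1)


def lba_to_chs(lba, heads, sectors):
    """0-based LBA -> (cylinder, head, sector) for a given geometry."""
    cylinder, rest = divmod(lba, heads * sectors)
    head, sector0 = divmod(rest, sectors)
    return cylinder, head, sector0 + 1


def end_chs(start_chs, size_sectors, heads, sectors):
    """End C/H/S of a partition, given its start C/H/S and size in sectors."""
    start_lba = chs_to_lba(*start_chs, heads, sectors)
    return lba_to_chs(start_lba + size_sectors - 1, heads, sectors)


def heads_consistent_with(start_chs, end, size_sectors, sectors, max_heads=255):
    """Every head count for which start..end spans exactly size_sectors."""
    found = []
    for heads in range(1, max_heads + 1):
        try:
            span = (chs_to_lba(*end, heads, sectors)
                    - chs_to_lba(*start_chs, heads, sectors) + 1)
        except ValueError:
            continue  # this CHS value cannot exist with so few heads
        if span == size_sectors:
            found.append(heads)
    return found


if __name__ == "__main__":
    START, SIZE = (0, 1, 1), 2021945  # taken from the lines quoted in the thread
    print("Heads=64, Sectors=32 ->", end_chs(START, SIZE, heads=64, sectors=32))
    print("heads behind 1019/8/25:",
          heads_consistent_with(START, (1019, 8, 25), SIZE, sectors=32))
```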


Hey Jaclaz,

I just took a risk and tried the remaining recovery procedure as I was so eager to see the result... So you bet... I finally GOT it... Wow, EXCELLENT!

All the files are back, they are back...... A very BIG THANKS to YOU.... I really appreciate your patience and professional advice...

I learnt a lot from this process and had much fun.... Interesting!

BTW, there are still a few questions here, can you help me to clarify a bit:

As I reopened the image file, I found my useful file as well as some Virus files or virus information.

So my question is :

1/ Will the virus file still have an effect on my C drive when I copy the data from this USB_full image file back to my C drive?

2/ When I use the virus cleaning program to scan the G: virtual drive, it detects the virus (see attached txt file) and is going to kill them, so does it mean that the virus becomes inactive (seems sleeping) when the USB_full image is not being recovered, but when it is being recovered now, the virus becomes active and will start to infect any other drives that come across it?

3/ Before I format my defective USB, if I plug it into the computer, will the virus infect my computer?

4/ Will the stand-alone USB_full image file, which has the virus file locked inside, become active if I keep the image file?

Curious to know that...

Thanks !

ngpc

TDisk_retrieving_record_eith_Virus_info.txt

Virus_Scan_Result_2009_5_23_after_USB_full_IMG_on_Virtual_Disk.txt


Happy to hear about a happy ending. :)

Virii "for USB sticks" are generally triggered by the stupid (I know no better English word to describe it :whistle:) feature of Windows XP (and later I think :unsure: ) that tries to access "automagically" anything connected to the USB port and tries to Print, or Play or Open or whatever.

The culprit is the autorun.inf file, which is executed by the above mentioned stupid feature.

An Image file is not accessed the same way, so it is relatively safe.

Scan files in the image and your anti-virus should get rid of the things all right.

Since Windows cannot read properly your damaged stick, it shouldn't be a problem of reinfection.

Thus the answer to all your questions is NO. ;)

What you should do next would be to WIPE your stick (as opposed to re-formatting it)

Get mksparse:

http://www.acc.umu.se/~bosse/

unzip it in the usual directory C:\DSFOK

(I presume that the C:\ volume has a NTFS filesystem, otherwise use a NTFS one)

Create a new sparse file the size you got from dsfo originally:

mksparse C:\dsfok\USB_empty.img 1035206656

The file, being sparse, will occupy only a bunch of Kbytes instead of its full size, and it will be full to the brim of 00's.

If the temporary occupation of about 1 Gb by the file is not a problem, you can use fsz that is already in the DSFOK you have.

Now, use dsfi to completely overwrite your stick:

dsfi \\.\PHYSICALDRIVE1 0 0 C:\dsfok\USB_empty.img

Remove and re-insert stick.

Now, use RMPREPUSB.EXE (advised):

http://www.boot-land.net/forums/index.php?showtopic=7739

to format your stick. (this will create a "properly formatted" stick including a MBR, i.e. HD-like, if you use XP Disk Management it will format the stick as super-floppy, unless you use a filter driver, which I guess is out of the scope of this thread)

Using the renowned "HP utility" will work as well, though it will create a "better-than-the-current-lousy-one", but still unbalanced, CHS/LBA partition table, which is more likely to cause problems in the future.

Remove and re-insert stick.

Then, get ninja pendisk :thumbup :

http://nunobrito.eu/ninja/

http://www.boot-land.net/forums/?showtopic=4350

http://nunobrito.eu/ninja/forum/

and use it. ;)

BTW, and just as a general advice for the future, a not-so-well-known "trick" on FAT16 and FAT32 filesystems, in order to increase the possibilities of recovering files is to avoid if possible to put files in the ROOT, but rather use Directories or sub-directories to store them.

:hello:

jaclaz

I recently experienced close to the same thing with the autorun virus.

When I attached the drive the AV completely even refused to let Windows recognize the whole drive.

Hi,

I finally retrieved all my data from the USB by following the process, you can try and see if this can help your situation...

Jaclaz's troubleshooting is really professional...

You can check it out yourself...

ngpc


Hi Jaclaz,

Just a curious question!

I just supposed I could use the XP format function to reformat my USB; it seems there are still a lot of steps to reformat it...

May I know:

What is the difference between using the XP format function to format the usb instead of using the procedure you have mentioned in the last email?

I know your procedure may be trying to configure the USB in a new structure...

Sure, I will try your procedure and learn more about that, it is interesting.

I just want to learn more, if there are any technical reasons...

Besides, after the TestDisk recovery, I retrieved all the file data and also see some files named as below

-rwxr-xr-x 0 0 594 22-Oct-2008 18:38 _UTORUN.INF

-rwxr-xr-x 0 0 110654 5-Oct-2008 16:57 _JIEF.CMD

Are they created repeatedly by the virus? I saw a lot inside the file usb_full.img....

Like to hear more !

Thanks !

ngpc

What is the difference between using the XP format function to format the usb instead of using the procedure you have mentioned in the last email?

Basically 2K/XP/2003 check if a flag in the controller of the USB device is set as either "Fixed" or "Removable".

If it detects it as "Removable" it won't:

  • allow partitioning the device
  • allow access to any partition but the first (Active) one (if the device is actually partitioned)

BUT, if it finds a MBR, it will "trust" information in it and allow formatting the single partition it can access.

99.99% (read ALL) USB sticks have this flag in the controller set as "Removable"

ALL USB Hard Disks and USB Hard Disk enclosures have this flag in the controller set as "Fixed"

99.99% (read ALL, exception made for your stick ;)) are sold WITHOUT partitioning, with the whole stick formatted as "super-floppy"

If you Format from XP a stick that HAS NOT a valid MBR, it will be formatted as "super-floppy".

The given utilities allow partitioning and formatting the stick as a HD-like device.

An alternative is using in Windows XP a "Filter Driver" such as cfadisk.sys or dummydisk.sys that "tricks" XP in seeing the flag in the controller set as "Fixed" and thus allow Disk Management to partition the disk.

So, if you try re-formatting your stick as-is from Windows XP, it will assume the (currently containing "wrong" data) MBR to be a valid one and will re-create a "non-right" filesystem, which may nonetheless work, as yours did, but that is NOT advised as it may create problems on some machines, or with other OS.

If you try re-formatting your stick after having wiped it from Windows XP, it will assume that you want to create a "super-floppy" filesystem, which again works all right for the use you make of it, but that may be more problematic to recover in case of failure.

I just want to learn more, if there are any technical reasons...

There is no "needed" technical reason, it is an "advised" technical one.

Besides, after the TestDisk recovery, I retrieved all the file data and also see some files named as below

-rwxr-xr-x 0 0 594 22-Oct-2008 18:38 _UTORUN.INF

-rwxr-xr-x 0 0 110654 5-Oct-2008 16:57 _JIEF.CMD

Which you saw in the testdisk List view being RED:

-rwxr-xr-x 0 0 594 22-Oct-2008 18:38 _UTORUN.INF

-rwxr-xr-x 0 0 110654 5-Oct-2008 16:57 _JIEF.CMD

to evidentiate how they were DELETED files.

When you delete a file on a FAT filesystem it is NOT actually deleted, simply the first character of its name in the FAT table is overwritten by a "special" character (that testdisk shows as an underscore) to signify that that allocation is free and that it can be overwritten.

Are they created repeatedly by the virus? I saw a lot inside the file usb_full.img....

Yep, from the date/time of those files, you can track when the Virus wrote them, each _UTORUN.INF file you can see (and that you should delete once finished playing with them) is a single attempt of infection (or re-infection) by the Virus.

jaclaz
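
The deleted-entry marker and the date/time tracking described in the post above, as an added example that is not part of the original thread: it walks 32-byte FAT short-name directory entries, treats a first name byte of 0xE5 as "deleted" (shown as an underscore, as TestDisk does) and sorts the deleted entries by their write timestamp. The sample directory is constructed; the sizes and dates of the first _UTORUN.INF and _JIEF.CMD come from the listing in the thread, everything else (REPORT.DOC, the second autorun entry, the function names) is made up for illustration.

```python
import struct
from datetime import datetime

# name, ext, attr, NT byte, ctime 10ms, ctime, cdate, adate,
# cluster hi, wtime, wdate, cluster lo, size  (32 bytes, little-endian)
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
DELETED, END, ATTR_LFN, ATTR_VOLUME = 0xE5, 0x00, 0x0F, 0x08


def dos_datetime(date, time):
    """Decode the packed 16-bit DOS date and time fields."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_directory(buf):
    """Return short-name entries, live and deleted, up to the end marker."""
    entries = []
    for off in range(0, len(buf) - 31, 32):
        raw = buf[off:off + 32]
        if raw[0] == END:            # 0x00: no entries were ever used past here
            break
        (name, ext, attr, _nt, _c10, _ct, _cd, _ad,
         _hi, wtime, wdate, _lo, size) = ENTRY.unpack(raw)
        if (attr & 0x3F) == ATTR_LFN or (attr & ATTR_VOLUME):
            continue                 # long-name fragments and volume labels
        deleted = name[0] == DELETED
        shown = (b"_" + name[1:]) if deleted else name
        base = shown.decode("ascii", "replace").rstrip()
        suffix = ext.decode("ascii", "replace").rstrip()
        try:
            modified = dos_datetime(wdate, wtime)
        except ValueError:           # garbage date fields in a damaged entry
            modified = None
        entries.append({"name": f"{base}.{suffix}" if suffix else base,
                        "deleted": deleted, "size": size, "modified": modified})
    return entries


def deleted_timeline(entries):
    """Deleted entries with a valid timestamp, oldest first."""
    gone = [e for e in entries if e["deleted"] and e["modified"] is not None]
    return sorted(gone, key=lambda e: e["modified"])


def autorun_attempts(entries):
    """Write times of deleted entries whose surviving name is ?UTORUN.INF."""
    return [e["modified"] for e in deleted_timeline(entries)
            if e["name"][1:].upper() == "UTORUN.INF"]


def make_entry(name, ext, size, when, deleted=False, attr=0x20):
    """Build one directory entry for the constructed sample below."""
    raw = name.ljust(8).encode("ascii")
    if deleted:
        raw = bytes([DELETED]) + raw[1:]
    date = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    time = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    return ENTRY.pack(raw, ext.ljust(3).encode("ascii"), attr,
                      0, 0, 0, 0, 0, 0, time, date, 0, size)


LFN_FRAGMENT = bytes([0x41]) + bytes(10) + bytes([ATTR_LFN]) + bytes(20)
SAMPLE_DIR = b"".join([                      # constructed sample directory
    LFN_FRAGMENT,
    make_entry("REPORT", "DOC", 20480, datetime(2008, 9, 1, 10, 0)),
    make_entry("AUTORUN", "INF", 594, datetime(2008, 10, 22, 18, 38), deleted=True),
    make_entry("XJIEF", "CMD", 110654, datetime(2008, 10, 5, 16, 57), deleted=True),
    make_entry("AUTORUN", "INF", 594, datetime(2008, 11, 3, 9, 12), deleted=True),
    bytes(32),                               # end-of-directory marker
    make_entry("STALE", "TMP", 1, datetime(2008, 1, 1, 0, 0)),  # never reached
])

if __name__ == "__main__":
    for e in deleted_timeline(parse_directory(SAMPLE_DIR)):
        print(e["modified"], e["size"], e["name"])
```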


Hi Jaclaz,

Thanks Again for sharing !

May I know which tools you are using for viewing the MBR structure/data of my defective usb, can I download it from some sites?

Is there any recommended site which documented the introduction of MBR or file system structure analysis? I am quite interested in data recovery after this learning experience.

And finally, can I apply the similar value of my case to some usb which show the same symptoms but with different memory sizes say 2G, 4G, 8G..?

And I only experiment this on the extracted image file.

Hope to hear your advice...

ngpc

:w00t:

Thanks Again for sharing !

You are welcome. :)

May I know which tools you are using for viewing the MBR structure/data of my defective usb, can I download it from some sites?

I could tell you, but then I would have to kill you...:whistle:

Seriously:

And a number of other tools, depending on what is the problem at hand.

Remember that however usually a skilled carpenter is more important than the actual tools he uses. ;)

You'll need some time to learn and digest the info you can find in the below mentioned site (and its links) and more generally take your time browsing around in boot-land:

http://www.boot-land.net/forums/

Also remember that the right approach to data recovery is avoiding needing it. (BACKUP!)

Is there any recommended site which documented the introduction of MBR or file system structure analysis? I am quite interested in data recovery after this learning experience.

The "mother of all MBR/filesystems sites", the Starman's Realm:

http://mirror.href.com/thestarman/asm/mbr/index.html

And of course the good ol' "Primer":

http://www.ranish.com/part/primer.htm

I would also suggest you getting acquainted with "ol' DOS" programs, like Ranish Partition Manager:

http://www.ranish.com/part/

and the several other DOS tools recommended by Daniel B. Sedory (the Starman)

And with Qemu:

http://www.nongnu.org/qemu/

Optionally using Qemu Manager GUI:

http://www.davereyn.co.uk/

And finally, can I apply the similar value of my case to some usb which show the same symptoms but with different memory sizes say 2G, 4G, 8G..?

You can apply a similar method/approach.

Not a "similar value", a value can be either of two things:

  • Right
  • Wrong

(no space for "similar")

And I only experiment this on the extracted image file.

Sure, that's the "proper" approach, NEVER write anything on the "problematic" device if you are not sure (and double sure) about what you are writing and what effects it may have.

jaclaz

99.99% (read ALL, exception made for your stick ;)) are sold WITHOUT partitioning, with the whole stick formatted as "super-floppy"

"U3" sticks get two drive letters, I guess they have two partitions ? I also saw that for "fingerprint secured" sticks. One partition for the security system, one for data.

Thanks Jaclaz,

Don't kill me until one day, I become as professional as you are, ha ha ....

Anyway, thanks so much for your help in the past week and your generous sharing of your knowledge! I did learn a lot!

ngpc

:hello::thumbup

99.99% (read ALL, exception made for your stick ;)) are sold WITHOUT partitioning, with the whole stick formatted as "super-floppy"

"U3" sticks get two drive letters, I guess they have two partitions ? I also saw that for "fingerprint secured" sticks. One partition for the security system, one for data.

NO. :(

They have two LUN's:

http://www.911cd.net/forums//index.php?sho...20186&st=16

http://www.911cd.net/forums//index.php?sho...20186&st=27

(of which one is a CD-ROM device and the other one is a "normal disk", which may be partitioned, but usually isn't)

Also, FYI:

http://www.msfn.org/board/index.php?showtopic=121502

http://www.msfn.org/board/index.php?showtopic=125138

BTW, the bootsector of ngpc's stick was formatted as FAT16 06 (CHS) and had a bootsector invoking DOS system file IO.SYS.

I have NEVER seen myself or read ANY report of such a stick being formatted like that in factory.

The unbalanced CHS/LBA makes me think of the use of the "HP" formatting utility and the n/64/32 of the use of VDK (which defaults to that geometry) or Winimage, that can use that geometry in some cases.

jaclaz


Hi, jaclaz!

Our USB drive suddenly exhibited the same symptoms as ngpc's: When attempting to access it, Windows claims that it isn't formatted. I assume you want to start with a copy of Testdisk's log report. It's attached. MSFN's attachment system wouldn't allow me to upload it when it was named testdisk.log, so I added .txt to the file name.

Thank you for your help!

testdisk.log.txt


Attached - but note:

1) The attachment system didn't like .bin any more than it liked .log, so added .txt to both files.

2) My system contains 2 physical hard drives, a floppy, and a DVD, and, at the moment, a USB drive is attached. I assumed that the floppy and DVD drives are not included in the chain of physical drives, and that the USB drive is physical drive 2.

bs.bin.txt

MBR.bin.txt

Attached - but note:

1) The attachment system didn't like .bin any more than it liked .log, so added .txt to both files.

Really? :w00t:

Could this be connected to this part of the referenced post?: :unsure:

Compress the two files in a .zip archive and post it as an attachment, I'll have a look at them.

:whistle:

2) My system contains 2 physical hard drives, a floppy, and a DVD, and, at the moment, a USB drive is attached. I assumed that the floppy and DVD drives are not included in the chain of physical drives, and that the USB drive is physical drive 2.

It may have been the right choice, but unfortunately, BOTH the files you posted are just a (nice, rounded ;)) collection of digital 00's. :(

This could mean EITHER:

  1. that something went wrong while extracting/copying the sectors/files
  2. that you got the right \\.\Physicaldrive AND the extracting/copying went all right BUT the sectors on the stick are actually all 00's

My guess is that unfortunately it is #2 above, which can be caused by three things:

  1. partial accidental wiping (of some initial sectors) of the device (not good, but leaving some hopes)
  2. total accidental wiping of the device (bad)
  3. device controller or flash memory malfunctioning (bad)

Can you describe with as much detail as you can remember how this thing happened, if there were previous symptoms of failure, if any particular program was run against the stick, if the stick was EVER attached to an unprotected by antivirus PC, etc.?

Let's try again with a slightly different approach.

Get dsfo (within the DSFOK toolkit):

http://members.ozemail.com.au/~nulifetv/fr...ware/index.html

Open a command prompt and run from the directory where you unzipped dsfo.exe:

dsfo \\.\Physicaldrive2 0 102400 C:\first200.dat

Compress C:\first200.dat to a .zip and attach to your next post the resulting archive.

If you have access to a hosting site of some kind (even a free one like megaupload or rapidshare would do) AND the stick did not contain private/personal data that I shouldn't see, create a "full" image of the stick (you will need as much available space on your hard disk as the size of the stick + say another half size for the compressed file) by running:

dsfo \\.\Physicaldrive2 0 0 C:\fullima.dat

Compress C:\fullima.dat to a .zip, upload the resulting archive to the filehosting site and send me via PM the download link...

If it's not all 00's some partial recovery may be still possible.

By the way, you didn't need to provide a link - all you had to do was tell me to scroll to the top of this page!

A link is a link, and generally stays linked ;)

"Relative" addresses, such as "look at top of the page" may change depending on which particular view you are seeing this thread with, and from a number of other reasons.

jaclaz


Sorry. I've been checking several times a day for your reply, but never realized that we'd gone to a page 3. I'll post a proper reply as soon as I can.

Thank you!


Really? Could this be connected to this part of the referenced post

Compress the two files in a .zip archive and post it as an attachment

Didn't realize that your request for a zip file was to get around attachment system restrictions.

"Relative" addresses, such as "look at top of the page" may change depending on which particular view you are seeing this thread with, and from a number of other reasons.

Point taken.

first200.zip attached.

Hope to be able to u/l full image. Will let you know. But first, I need an answer from you. Winrar won't let me break up the full image into smaller files in zip format. Do you have a problem with rar format?

Thanks again, jaclaz!

doniel

FIRST200.zip


Unfortunately the whole file you sent is made of 00's. :(

No problem with .rar, the good (or bad) thing is that if the whole image is made of 00's the compressed file will be very, very small.

So, try compressing the image in a "monolithic" .zip or .rar, if the result is very small, it means that it contains mostly 00's, on the other hand, if the resulting archive is "biggish" it means that some data is still there, and then you can re-create it in split .rar files.

Is there any chance that the \\.\PhysicalDrive2 may be "wrong"?

I don't think so as if the device does not exist dsfo should throw an error.

Which size is the "full" image (without compression)?

Is it compatible with the "label" size of the stick?

It could be that simply something in the controller or in the flash memory has gone "berserk". :unsure:

jaclaz
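
A direct way to check an image for anything other than 00's without compressing it first, as an added example that is not part of the original posts: it reads the file in chunks and reports the runs of sectors that contain at least one non-zero byte. The function name, the 512-byte sector size and the chunk size are assumptions made for the example, and the small test image is constructed.

```python
import os
import tempfile


def nonzero_extents(path, sector_size=512, chunk_sectors=2048):
    """Return ([(first_sector, sector_count), ...], total_sectors).

    Each tuple is a run of consecutive sectors holding at least one
    non-zero byte; an image that is all 00's yields an empty list.
    """
    extents = []            # [first_sector, count], merged as we go
    sector_no = 0
    with open(path, "rb") as img:
        while True:
            chunk = img.read(sector_size * chunk_sectors)
            if not chunk:
                break
            in_chunk = -(-len(chunk) // sector_size)   # ceiling division
            if chunk.count(0) != len(chunk):           # skip all-zero chunks fast
                for i in range(in_chunk):
                    sector = chunk[i * sector_size:(i + 1) * sector_size]
                    if sector.count(0) == len(sector):
                        continue
                    current = sector_no + i
                    if extents and extents[-1][0] + extents[-1][1] == current:
                        extents[-1][1] += 1            # extends the previous run
                    else:
                        extents.append([current, 1])
            sector_no += in_chunk
    return [tuple(e) for e in extents], sector_no


def build_sample_image():
    """Constructed 16-sector image: data in sectors 3-4 and in sector 9."""
    image = bytearray(512 * 16)
    image[512 * 3 + 10] = 0x55
    image[512 * 4] = 0xAA
    image[512 * 9 + 511] = 0x01
    return bytes(image)


if __name__ == "__main__":
    fd, sample_path = tempfile.mkstemp(suffix=".dat")
    with os.fdopen(fd, "wb") as out:
        out.write(build_sample_image())
    runs, total = nonzero_extents(sample_path, chunk_sectors=4)
    print(f"{total} sectors, non-zero runs: {runs or 'none (all zeroes)'}")
    os.remove(sample_path)
```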


Full image uncompressed is about 7.5 GB. Rar is 4.7 GB. It's going to take me quite some time to u/l. Will let you know as it gets done so that you can d/l it as they get posted.


The 4.7 GB size of the compressed image is (besides being "huge" :blink: ) a good sign that at least some data is still on the stick. :)

jaclaz


Unfortunately it seems like the WHOLE image is made of 00's. :(

I am scanning it right now, but in about the first 2/3 of it I couldn't find anything but zeroes.

This is NOT "normal".

To get to this condition one of the following cases applies:

  • stick has been (accidentally or intentionally) wiped (to wipe a flash memory means writing 00's to it, which for an 8 Gb stick should take several minutes, so you should have noticed it)
  • stick has been "zapped" or "fried" by some overcurrent or overvoltage (but usually when this happens it is the controller that gets fried, see below)
  • something is wrong in the hardware (the controller seems OK, as the stick is recognized by Windows, so it should be the actual flash, but if you are lucky it could also be a "real hardware" failure, such as a cold or broken soldering)

I guess that your only remaining thing to try is to "crack" open the stick enclosure and inspect both visually and with an ohmmeter the continuity of tracks and chips' pins.

If this check reveals no problems, depending on the value you attribute to the data on the stick, it may be the case to ask a professional to try and take off the stick the flash and mount it on another (identical) stick/controller.

Of course you can do this attempt by yourself, but managing surface mounted components (as stick chips usually are) is not that easy for a non-expert and with "rudimentary" tools, I guess it depends on your manual skills and experience. :unsure:

jaclaz

P.S.: For the record and for other users, the image once compressed, resulted in a 4.7 Mb file, not as initially posted 4.7 Gb.


I guess that your only remaining thing to try is to "crack" open the stick enclosure and inspect both visually and with an ohmmeter the continuity of tracks and chips' pins.

I tried to pry the cover off using a small flathead screwdriver, with no success. Is it possible to get the cover off without ruining it, or do I need to break it off?


It greatly depends on the actual model of the stick, a few are simply two plastic shells that you can separate by using a knife (you will probably break anyway the case, but if you are careful with these it can be re-glued together) some are more "tough" and need to be cut/broken.

jaclaz


I don't know if this is solved but I am inputting my input.

My USB-pen/stick/flash would do the exact same thing. It would not read on Windows XP, but instead give me a document folder instead. A folder that proclaimed "THE DRIVE IS UNREADABLE". However on my Win98 machine, it would read the drive. When I used it on an iMac machine (white) I was able to read the drive with no problems.

Back on my 98 machine after running Scandisk (when the drive appeared to have nothing) it was able to recover disk data. I forget if I did or did not format the disk.

Sometimes when I hook a hard drive to my PC. Especially one that I have not used for ages. It reports a misfire (whatever) of space. I ran scandisk, and it recovered all my files but left the names with their shortened DOS counterparts.

I could only assume it has something to do with the last computer you used the machine on.

The end result is me getting/finding another USB drive lying around in the street. Since this would occur over and over again when I had to use the USB drive multiple times, moving from machine to machine.
